Skip to main content

WP Directory Kit CVE-2026-39531

| EUVDEUVD-2026-31291 CRITICAL
SQL Injection (CWE-89)
2026-05-21 Patchstack GHSA-q5xx-h8cq-mvvf
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 16:30 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.

This issue affects WP Directory Kit: from n/a through 1.5.0.

AnalysisAI

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthenticated attackers to inject SQL commands through improperly neutralized input. With a CVSS 9.3 (scope-changed) rating from Patchstack, successful exploitation can expose sensitive database contents and partially impact availability across the WordPress installation. No public exploit identified at time of analysis and the plugin is not currently listed in CISA KEV.

Technical ContextAI

WP Directory Kit is a WordPress plugin used to build directory listing sites (businesses, members, classifieds). The flaw is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL queries without proper parameterization or escaping via WordPress's $wpdb->prepare() API. Because the impact is 'blind', the attacker does not receive direct query output and instead infers data via boolean or time-based side channels. The CPE cpe:2.3:a:wp_directory_kit:wp_directory_kit:*:*:*:*:*:*:*:* covers all released versions through 1.5.0.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory lists the issue only against versions through 1.5.0 without a confirmed fixed version in the provided data, so administrators should monitor https://patchstack.com/database/wordpress/plugin/wpdirectorykit/vulnerability/wordpress-wp-directory-kit-plugin-1-5-0-sql-injection-vulnerability and the plugin's WordPress.org page and upgrade to any release above 1.5.0 once published. Until a fix is available, deactivate and remove the WP Directory Kit plugin if business-tolerable, since this immediately removes the vulnerable code path at the cost of losing directory functionality. As compensating controls, place the site behind a WAF such as Patchstack mTrap, Wordfence, or Cloudflare with SQLi rules enabled and specifically block requests containing SQL meta-characters to the plugin's AJAX/REST endpoints (note this may break legitimate searches with apostrophes), restrict access to the directory pages to authenticated users via plugin or .htaccess rules where feasible, and rotate WordPress secret keys plus force-reset user passwords if exploitation is suspected because hashed credentials may have been exfiltrated.

CVE-2024-3217 HIGH
8.8 Apr 05

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' pa

CVE-2025-13390 CRITICAL POC
10.0 Dec 03

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1

CVE-2023-2278 CRITICAL POC
9.8 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9

CVE-2023-2351 MEDIUM POC
6.5 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m

CVE-2023-2835 MEDIUM POC
6.1 Jun 02

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in

CVE-2023-2277 MEDIUM POC
6.1 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

CVE-2026-42672 CRITICAL
9.3 Jun 01

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthen

CVE-2026-39534 HIGH
7.5 Jun 15

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attacker

CVE-2024-29774 HIGH
7.1 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP

CVE-2023-2280 MEDIUM
6.5 Jun 09

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m

CVE-2024-37487 MEDIUM
6.1 Jul 21

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpdirectory

CVE-2023-2279 MEDIUM
5.4 Aug 31

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

Share

CVE-2026-39531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy